CVE-2026-7518
Denial of Service in Open5GS AMF SBI Endpoint
Publication date: 2026-05-01
Last updated on: 2026-05-01
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| open5gs | open5gs | to 2.7.7 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-404 | The product does not release or incorrectly releases a resource before it is made available for re-use. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Open5GS up to version 2.7.7 causes the Access and Mobility Management Function (AMF) to crash when processing a specific HTTP POST request to the endpoint /namf-callback/v1/{id}/sdmsubscription-notify.
The crash happens because the AMF's parser accepts a malformed request where the changeItem in the ModificationNotification is missing the newValue field. Later, the function amf_namf_callback_handle_sdm_data_change_notify attempts to dereference this missing newValue, leading to a segmentation fault and causing the AMF process to terminate unexpectedly.
This flaw can be exploited remotely with a single HTTP request, resulting in a denial of service by crashing the AMF component.
How can this vulnerability impact me? :
The vulnerability can cause a denial of service by crashing the AMF process in Open5GS, which is a critical component in 5G core networks.
An attacker can remotely trigger this crash with a specially crafted HTTP POST request, causing the AMF to terminate abnormally and potentially disrupting network services that rely on it.
This disruption can lead to service unavailability or degraded performance in mobile network operations.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for abnormal crashes or termination of the AMF process in Open5GS when it receives HTTP POST requests to the endpoint /namf-callback/v1/{id}/sdmsubscription-notify.
Specifically, detection involves checking for segmentation faults or denial of service triggered by malformed ModificationNotification messages where the changeItem.newValue field is missing.
You can use network monitoring tools or HTTP request logging to identify suspicious POST requests to the vulnerable endpoint.
- Use tcpdump or Wireshark to capture HTTP POST traffic to /namf-callback/v1/*/sdmsubscription-notify.
- Example tcpdump command: tcpdump -i <interface> -A 'tcp port 80 or 443' | grep '/namf-callback/v1/'
- Check Open5GS AMF logs for crashes or segmentation faults related to the callback endpoint.
- Use system commands like 'journalctl -u open5gs-amf' or 'ps' to monitor AMF process status.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include monitoring and restricting access to the vulnerable AMF SBI Endpoint /namf-callback/v1/{id}/sdmsubscription-notify to prevent malicious HTTP POST requests.
Implement network-level filtering or firewall rules to block unauthorized or suspicious requests targeting this endpoint.
If possible, apply input validation or patch updates from Open5GS once available to ensure the AMF properly rejects malformed requests instead of crashing.
In the meantime, monitor the AMF process for crashes and restart it promptly if it terminates unexpectedly.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.